Bug 1094123

Summary: OVIRT35 - [RFE][host-deploy] support more ciphers for ssh - upgrade apache-sshd to 0.11.0
Product: [Retired] oVirt Reporter: Alon Bar-Lev <alonbl>
Component: ovirt-engine-core Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecified CC: gklein, iheim, jbelka, oourfali, rbalakri, yeylon
Target Milestone: --- Keywords: FutureFeature
Target Release: 3.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: ovirt-3.5.0-alpha1 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-17 12:44:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1094049    
Bug Blocks: 1007133    

Description Alon Bar-Lev 2014-05-05 06:27:09 UTC
2013-09-11 21:40:12 EDT Due to older version, SSHClient used in oVirt uses only CBC ciphers.
Version used in rhevm backend
==
pom.xml:    <sshd-core.version>0.7.0</sshd-core.version>
==

Ciphers used in Apache sshd-core 0.7.0
==
    avail.add(new AES128CBC.Factory()); 
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==

Ciphers used in Apache sshd-core 0.8.0
==
    //Newly added after a security bug fix
    avail.add(new AES128CTR.Factory());
    avail.add(new AES256CTR.Factory());
    avail.add(new ARCFOUR128.Factory());
    avail.add(new ARCFOUR256.Factory());

    avail.add(new AES128CBC.Factory());
    avail.add(new TripleDESCBC.Factory());
    avail.add(new BlowfishCBC.Factory());
    avail.add(new AES192CBC.Factory());
    avail.add(new AES256CBC.Factory());
==

Only sshd-core-0.11.0 which was just released passes all our tests.
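The effect of the two cipher lists above on negotiation, as an added example that is not part of the original report or of the oVirt or Apache SSHD code. It applies the RFC 4253 rule (the first cipher in the client's list that the server also supports is chosen). It assumes that the order of the `avail.add` calls is the client's preference order and that the factories map to the standard SSH wire names; the two server policies are constructed samples.

```python
# Added example: SSH cipher negotiation (RFC 4253, section 7.1) applied to the
# client cipher lists quoted in this bug. Wire names are the standard SSH names
# for the listed factories; list order is assumed to be preference order.

SSHD_0_7_0 = ["aes128-cbc", "3des-cbc", "blowfish-cbc", "aes192-cbc", "aes256-cbc"]
SSHD_0_8_0 = ["aes128-ctr", "aes256-ctr", "arcfour128", "arcfour256"] + SSHD_0_7_0

# Constructed server policies (assumptions, not taken from the bug report).
SERVER_CTR_ONLY = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
SERVER_MIXED = ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes128-cbc"]


def negotiate(client, server):
    """Return the first cipher in the client's list that the server also
    supports, or None when there is no overlap (the connection then fails)."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def mode_of(cipher):
    """Classify a negotiated cipher name by its mode of operation."""
    if cipher is None:
        return "none"
    if cipher.endswith("-cbc"):
        return "cbc"
    if cipher.endswith("-ctr"):
        return "ctr"
    return "stream"  # arcfour128 / arcfour256


def compatibility_report(clients, servers):
    """Map (client label, server label) -> (negotiated cipher, mode)."""
    report = {}
    for c_label, c_list in clients.items():
        for s_label, s_list in servers.items():
            chosen = negotiate(c_list, s_list)
            report[(c_label, s_label)] = (chosen, mode_of(chosen))
    return report


if __name__ == "__main__":
    clients = {"sshd-core 0.7.0": SSHD_0_7_0, "sshd-core 0.8.0": SSHD_0_8_0}
    servers = {"ctr-only": SERVER_CTR_ONLY, "mixed": SERVER_MIXED}
    for pair, result in compatibility_report(clients, servers).items():
        print(pair, "->", result)
```
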

Comment 1 Jiri Belka 2014-07-14 08:51:39 UTC
Same as d/s - BZ1007133 thus OK.

Comment 2 Sandro Bonazzola 2014-10-17 12:44:46 UTC
oVirt 3.5 has been released and should include the fix for this issue.